COMMENTARY

Why NAC should stop quibbling about ATM skimming stats

The National ATM Council, a trade group for independent ATM operators, has thrown a two-year hissy fit over FICO statistics indicating that the majority (64 percent in 2015, 60 percent in 2016) of bankcard compromises in the U.S. occurred at nonbank ATMs. The remainder occurred at bank ATMs and the nation's 10 million point-of-sale devices, according to FICO.

In a letter repudiating the most recent FICO "report" (NAC persistently framed the word in quotation marks, the literary equivalent of an eye roll), the council proceeded to flog the messenger while missing the message. Adding insult to injury, the flogging was pretty much uncalled-for.

In the first graph, NAC writes, "The truth is that some of the largest owners of FICO are the big banks themselves," and later, "… hundreds of millions of dollars in FICO stock is owned by the nation’s largest banks."

That might be troubling if it were true. But it's not.

FICO's largest shareholders are the institutions and funds listed here, information that's as easy to find as typing "Who are FICO's major shareholders?" in your browser bar, which NAC apparently has not tried.

Having established its false premise within the first paragraph, the council proceeds to chuck in a load of additional canards for good measure:

A review of blogs about skimming incidents at Krebs on Security proves that bank ATMs are more likely to be skimmed. (Or that Brian Krebs mostly writes about high-profile incidents.)

Cardholders are more likely to have their card skimmed at an outdoor unattended bank ATM than an attended in-store ATM. (Except that many nonbank ATMs are not in stores, and when they are, clerks are not "attending" the ATM, they're attending customers at the POS.)

FICO doesn't provide a definition of card compromise, so they must be referring to both counterfeit cards and card skimming. (Or they never defined it because after 50 years, the entire ATM industry knows exactly what a card compromise is and understands that it's completely different from card counterfeiting, which FICO confirms here.)

If big banks and networks really cared about card skimming they would remove the mag stripe from payment cards. (Because consumers would be so understanding about having their card rejected at a non-EMV fuel pump when their car is running on fumes.)

Big banks want to scare their cardholders away from using retail ATMs. (Never mind that FIs in increasing numbers are lining up to cobrand with retail ATM operators as a way to heighten their visibility and keep their customers happy.)

In its letter, NAC also refers early and often to a survey it conducted after the publication of last year's FICO report.

NAC said that it interviewed 166 members whose fleets ranged in size from a single ATM to more than 5,000 terminals. The council reported that 154 of these 166 members, representing "many tens of thousands [of] ATMs from around the country" had "NEVER run into a skimming device on their ATMs."

But this survey is another flawed foundation for NAC's arguments because:

the objectivity is questionable — Who had an axe to grind? NAC. And any polling professional knows that agenda-driven studies yield agenda-serving results;

participants are not representative of the whole — Who joins ATM industry groups? People who are most invested in and responsible about protecting the reputation and security of their business. Who did NAC poll? Members; and

the sample size is too small and too narrow — for an apples-to-apples comparison with FICO figures, NAC must conduct a proportional, weighted study of the same groups FICO looked at: bank ATMs; nonbank ATMs; and POS devices.

NAC pits the results of its unscientific survey of friendlies against a year's worth of big data compiled by a party that doesn't have a dog in the fight. That's not even a contest.

Never mind that, if it were, the outcome is approaching irrelevance.

NAC worries that a report like FICO's will drive consumers away from retail ATMs. Understandable. If consumers put much thought into which ATMs are whose.

But while some consumers have become more aware of card skimming, few could tell you whether a freestanding ATM at the airport is owned by the bank whose brand appears on it or an independent operator who offered it for cobranding. And if they're headed to Vegas for the weekend and need cash, they're not terribly likely to care one way or another.

On the other hand, consumers are getting pretty good at distinguishing chip and nonchip card readers. They've been using chip terminals now for 18 months while absorbing endless media reports about all the reasons why they're safer than nonchip.

As time goes on, ATM users will become increasingly leery of card readers that don't read chips. And they will become more trusting of EMV-enabled terminals, if only because they perceive that the deployer has at least taken a responsible interest in their security.

All terminals — bank and non-bank — will continue to be subject to card skimming until issues of backward compatibility are resolved and networks can remove the mag stripe without worrying that outraged cardholders will take up torches and pitchforks.

In the meantime, consumers will begin to notice the disappearance of non-EMV ATMs when retail deployers devastated by chargeback losses leave the business — as happened in Canada when EMV was implemented there.

These factors will weigh far more heavily on the retail ATM sector than any FICO statistic.

And in the end, consumers will have fewer options for cash access, just as NAC warned.

Different reason, same result.

Which is why, at this late date, fussing at FICO is a distraction from the critical work industry groups need to accomplish.

Suzanne Cluckey

Suzanne’s editorial career has spanned three decades and encompassed all B2B and B2C communications formats. Her award-winning work has appeared in trade and consumer media in the United States and internationally. She is now the editor of ATMmarketplace.com and BlockChainTechNews.com.